Modern automotive electronic control units (ECUs) continue to integrate an increasing number of functions. This trend is driven by the technology scaling on one side, enabling a high level of integration, and by the highly cost driven nature of the automotive industry that forces reduction in the total number of ECUs per car. Electronics play an increasing role in providing advanced driving assistance functions and especially in preventing hazards that will reduce the number of fatal injuries.
The integration of functions inside an ECU is mainly concentrated around a safe microcontroller that plays a central role by hosting critical acquisition, computation and control functions. The ISO 26262 safety standard provides a way to qualify the criticality of the software involved in a safety application. In a first step through hazard and risk analysis, each function is ranked. This leads to an Automotive Safety Integrity Level (ASIL) for each safety goal. As a consequence, there is a complex set of heterogeneous software components that interact together to provide the intended functionality and integrity.
The privilege levels found in conventional embedded processors are no longer sufficient to fulfill the software encapsulation requirements inherent to the ISO 26262 safety standard. Additionally, the software encapsulation requirements should not be limited to the execution of software inside a CPU but should address all the resources inside a microcontroller. The absence of the proper hardware and software infrastructure to support these software encapsulation requirements requires the construction of significantly complex virtualization layers at the software level which in turn requires an incredibly complex software architecture and consumes a significant portion of the CPU performance. As a result, these deficiencies make it difficult to reach the level of integration expected by the ISO26262 standard and can be a limiting factor in using the possible software integration capabilities of modern CPUs.
Some conventional microcontrollers have tried implementing virtual layers in software so that access to any resource is controlled by a trusted software layer before it is sent to dedicated hardware resources. However, such software is very dependent on the hardware platform and creates a large system bottleneck as the number of software tasks increase.
Therefore, there exists a need for a system and method for a safety hypervisor function that is enabled in both hardware and software. More specifically, there is a need for a new privilege layer that can be specified to any task running in a microcontroller.